Carrier-Installed ‘Carrier IQ’ Spyware Found in Android, iOS; Should We Panic?

Last week, research published by security expert Trevor Eckhart pulled back the veil on Carrier IQ, a suite of what can seemingly be described as spyware pre-installed on a wide range of devices by both carriers and vendors.

Eckhart cited a BGR story from September as an early reference to the software, which at that time was thought to be a somewhat benign set of quality-control measures.

“Carrier IQ is used to understand what problems customers are having with our network or devices so we can take action to improve service quality,” a Sprint spokesperson told BGR in September. “It collects enough information to understand the customer experience with devices on our network and how to devise solutions to use and connection problems. We do not and cannot look at the contents of messages, photos, videos, etc., using this tool.”

But Eckhart’s interest was piqued. The security researcher began to dig, and shortly after publishing his findings, he was hit with a cease and desist order from the company behind the software. Clearly, Eckhart was on to something.

“Carrier IQ (CIQ) sells rootkit software included on many US handsets sold on Sprint, Verizon and more,” Eckhart wrote in a report on his website. “Devices supported include Android phones, BlackBerrys, Nokias, tablet devices and more.”


A rootkit is generally defined as software that enables access to a device without the knowledge of the device’s owner. Carrier IQ, by contrast, describes its own products as “Mobile Service Intelligence solutions that have revolutionized the way mobile operators and device vendors gather and manage information from end users.”

With support from the Electronic Frontier Foundation, Eckhart was able to convince Carrier IQ to retract its borderline comical cease and desist order, which had initially objected to the researcher’s use of the term “rootkit” to describe its software. Carrier IQ had also demanded that Eckhart remove the company’s manuals from his site, even though these documents had previously been available on Carrier IQ’s own website.

What’s the big deal about Carrier IQ? From Eckhart’s report:

“From training documents found we get an insight into the Carrier IQ Portal. Devices are displayed to the portal operator by individual phone Equipment ID and Subscriber IDs. The ‘portal administrator’ can put devices into categories and see devices in California that have dropped calls at 5pm.

The downside to all of this is the ‘portal administrator’ is also able to ‘task’ a single phone with a profile containing any combination of metric and trigger. From leaked training documents we can see that portal operators can view and task metrics by equipment ID, subscriber ID, and more. So instead of seeing dropped calls in California, they now know ‘Joe Anyone’s’ location at any given time, what he is running on his device, keys being pressed, applications being used.”

References to the software have reportedly been discovered on Android phones, BlackBerry handsets, Nokia devices and even in the most recent public release of Apple’s iOS software. While Nokia has publicly denied the allegation that Carrier IQ software can be found on its Symbian smartphones, other vendors have remained quiet on the matter. Several carriers have seemingly gone into hiding as well, though Verizon Wireless confirmed on the record that none of its handsets contain Carrier IQ’s software.

Eckhart estimates that Carrier IQ’s software is currently installed on more than 141 million handsets, and that was before references were found in Apple’s iOS software.

It is likely still too early to panic, however. Despite the extensive coverage this story has garnered across tech blogs and in the media, it remains unclear exactly what Carrier IQ and its clients are doing with this data. It isn’t even clear what data carriers have access to.

We know that Carrier IQ software on Android devices can log anything from usage data and location to keystrokes and usage habits, but it has not been determined that this data is sent to carriers regularly, or at all. Carrier IQ’s software could in theory serve as a window through which carriers spy on users in real time if they so choose, but whether the software is actually used in this manner is also unclear. Going back to Sprint’s statement to BGR from September: “We do not and cannot look at the contents of messages, photos, videos, etc., using this tool.”

Things do look ominous, however. Geek.com has reportedly found “a potentially significant volume of data being collected” by the software, and Eckhart’s own video shows an alarming amount of data being recorded by Carrier IQ, including keystrokes. Of its monitoring suite, Carrier IQ says simply, “Our software is designed to help mobile network providers diagnose critical issues that lead to problems such as dropped calls and battery drain.” The firm goes on to state that it “does not provide real-time data reporting to any customer.”